How to Stay Ahead of Cybersecurity Changes from Financial Regulators in 2025 and 2026

The regulatory landscape for financial institutions is evolving rapidly. Regulators have shifted from informal discussions to comprehensive questionnaires, supported by passive engagement and data-mining efforts.

Through this process, regulators are identifying cybersecurity gaps and shifting from guidance notes (recommendations) to requirements (regulations).

Understanding these changes is crucial for financial institutions to remain compliant and avoid potential penalties or fines. Firms without large internal compliance and IT teams are often too busy to review every guidance note in detail, and it is costly to have an external consultant review each one to confirm compliance with something that is not yet a requirement at that stage.

However, we are finding that more and more guidance notes relating to cybersecurity are becoming mandatory requirements, which often leads to questions about how to meet those requirements before the deadline. This highlights the importance of staying informed about regulatory changes and understanding the implications of guidance notes.

It goes without saying that financial institutions need to engage proactively with regulatory updates and ensure they comply with upcoming requirements. However, we fully appreciate that time and resources spent on compliance only protect the business and do not (at least directly) grow it.

While the landscape is evolving, there are ways to stay on top of these changes and ideally stay ahead of them.

Complete an annual review of your cybersecurity

Our key tip is to complete an annual review of your cybersecurity with your internal team and/or consultant, with a view to addressing current and likely future enhancements. This may sound obvious, but we find that almost all of the cybersecurity enhancements we are seeing in the current year are simply best practices from the previous year.

We have found that in most cases proactive updates already meet new requirements as they are rolled out, and it is more efficient and cost-effective to make them as a batch rather than individually.

Other tips are as follows:

  • Proactive Updates: Regularly update your cybersecurity controls. Incremental updates are always less disruptive to a team than big sweeping changes. A good place to start is by reviewing your Microsoft Secure Score. I recently wrote an article on this, which you can read here: https://buchanantechnology.co.uk/insights/microsoft-secure-score-is-your-guard-on-duty

  • Stay Informed: Make it a part of your quarterly process to keep up to date with current regulatory changes and guidance notes. 

  • Engage in Consultations: Participate in consultations and questionnaires that assess cybersecurity measures and client care practices. You can actually help steer the extent to which particular policies are deployed.

  • Implement Best Practices: Adopt best practices for data protection, encryption, and third-party due diligence. 

  • Prepare for Regulations: Anticipate that current guidelines will soon become formal regulations and take steps to comply with them.

An example of this regulatory evolution is the recent move by the UK Financial Conduct Authority (FCA) to launch a live AI testing service. Starting in September 2025, UK financial services firms will have the opportunity to test their AI models under regulatory oversight before releasing them publicly. This initiative supports the FCA's five-year plan to modernise financial oversight and encourage responsible AI innovation. You can read more about this update on the FCA's website.

Additionally, the FCA has outlined a five-year strategy to support growth and improve lives. This strategy focuses on being a smarter regulator, supporting sustained economic growth, helping consumers navigate their financial lives, and fighting financial crime. More information about this strategy can be found on the FCA's website.

Regardless of where you are regulated, cybersecurity is a key driver for regulators seeking to protect both licensed firms and their clients. While the benefits of maintaining productivity, managing costs and reducing risk are clear, staying on top of these changes is another balancing act for limited resources.

I hope these tips help you to keep your firm more secure, but if you have any questions, please feel free to reach out. 

Jordan Gall

Jordan Gall is a Technology Specialist with over a decade of experience enhancing companies' use of technology. Jordan has a keen interest in all facets of technology, especially cyber security, mitigating risk for organisations, and creating efficient processes to streamline the use of technology systems and services.

He personally enjoys a good tennis match but can also be found behind a drum kit trying to compose the latest hit rock song.
